HTTP Request Smuggling
======================

A technique that exploits differences in how front-end and back-end servers parse HTTP requests, allowing attackers to smuggle malicious requests.

vulnerability, HTTP, advanced attack

HTTP request smuggling exploits discrepancies between how a front-end server (load balancer, reverse proxy, CDN) and a back-end server determine the boundaries of HTTP requests. By crafting ambiguous requests where Content-Length and Transfer-Encoding headers disagree, an attacker can cause the front-end and back-end to disagree on where one request ends and the next begins.

This allows attackers to "smuggle" a request that the front-end treats as part of a legitimate request but the back-end interprets as a separate, malicious request. The smuggled request can bypass security controls, poison web caches, hijack other users' requests, or exploit reflected XSS vulnerabilities without user interaction.

Variants include CL.TE (front-end uses Content-Length, back-end uses Transfer-Encoding), TE.CL (the reverse: front-end uses Transfer-Encoding, back-end uses Content-Length), and TE.TE (the two servers parse the Transfer-Encoding header differently). HTTP/2 downgrade smuggling is a newer variant affecting H2-to-H1 proxying.

How APVISO tests for this: APVISO's pentester agent sends carefully crafted ambiguous HTTP requests to detect CL.TE, TE.CL, and TE.TE smuggling variants. It uses timing-based detection techniques to identify desync without causing disruption to other users.

Related Terms
-------------

- [Security Misconfiguration](/glossary/security-misconfiguration)
- [Cross-Site Scripting (XSS)](/glossary/cross-site-scripting)

